Author's Abstract

Predicate-action diagrams, which are similar to standard state-transition diagrams, are interpreted as formulas of TLA (the Temporal Logic of Actions). We explain how these diagrams can be used to describe aspects of a specification, even when the complete specification cannot be written as a diagram, and to illustrate proofs.
1 Introduction

Pictures aid understanding. A simple flowchart is easier to understand than 
the equivalent programming-language text. However, complex pictures are 
confusing. A large, spaghetti-like flowchart is harder to understand than a 
properly structured program text. 

Pictures are inadequate for specifying complex systems, but they can 
help us understand particular aspects of a system. For a picture to provide 
more than an informal comment, there must be a formal connection between 
the complete specification and the picture. The assertion that the picture 
is a correct description of (some aspect of) the system must be a precise 
mathematical statement. 

We use TLA (the Temporal Logic of Actions) to specify systems. In TLA, a specification is a logical formula describing all possible correct behaviors of the system. As an aid to understanding TLA formulas, we introduce here a type of picture called a predicate-action diagram. These diagrams are similar to the various kinds of state-transition diagrams that have been used for years to describe systems, starting with Mealy and Moore machines [5, 6]. We relate these pictures to TLA specifications by interpreting a predicate-action diagram as a TLA formula. A diagram denoting formula $D$ is a correct description of a system with specification $S$ iff (if and only if) $S$ implies $D$. We therefore provide a precise statement of what it means for a diagram to describe a specification.

We use predicate-action diagrams in three ways that we believe are new: 

• To describe aspects of a specification even when it is not feasible to 
write the complete specification as a diagram. 

• To draw different diagrams that provide complementary views of the 
same system. 

• To illustrate formal correctness proofs. 

Section 2 is a brief review of TLA; a more leisurely introduction to TLA appears in [3]. Section 3 describes predicate-action diagrams, using an $n$-input Muller C-element as an example. It shows how diagrams are used to describe aspects of a complete specification, and to provide complementary views of a system. Section 4 gives another example of how predicate-action diagrams are used to describe a system, and shows how they are used to illustrate a proof.
2 TLA

We now describe the syntax and semantics of TLA. The description is illustrated with the formulas defined in Figure 1. (The symbol $\triangleq$ means equals by definition.)

We assume an infinite set of variables (such as x and y) and a class of 
semantic values. Our variables are the flexible variables of temporal logic. 
TLA also includes the rigid variables of predicate logic, but we ignore them 
here. The class of values includes numbers, strings, sets, and functions. 

A state is an assignment of values to variables. A behavior is an infinite sequence of states. Semantically, a TLA formula is true or false of a behavior. Syntactically, TLA formulas are built up from state functions using Boolean operators ($\neg$, $\wedge$, $\vee$, $\Rightarrow$ [implication], and $\equiv$ [equivalence]) and the operators $'$ and $\Box$, as described below. TLA also has a hiding operator $\exists$, which we do not use here.

A state function is a non-Boolean expression built from variables, constants, and constant operators. Semantically, it assigns a value to each state; for example $x + 1$ assigns to state $s$ one plus the value that $s$ assigns to the variable $x$. A state predicate (often called just a predicate) is a Boolean expression built from variables, constants, and constant operators such as $+$. Semantically, it is true or false for a state; for example the predicate $Init_\Phi$ is true of state $s$ iff $s$ assigns the value zero to both $x$ and $y$.

An action is a Boolean expression containing primed and unprimed variables. Semantically, an action is true or false of a pair of states, with primed variables referring to the second state. For example, action $\mathcal{M}_1$ is true for $(s, t)$ iff the value that state $t$ assigns to $x$ equals one plus the value that state $s$ assigns to $x$, and the values assigned to $y$ by states $s$ and $t$ are equal. A pair of states satisfying an action $\mathcal{A}$ is called an $\mathcal{A}$ step. Thus, an $\mathcal{M}_1$ step is one that increments $x$ by one and leaves $y$ unchanged.

$$\begin{array}{lcl}
Init_\Phi & \triangleq & (x = 0) \wedge (y = 0) \\
\mathcal{M}_1 & \triangleq & (x' = x + 1) \wedge (y' = y) \qquad\qquad \mathcal{M}_2 \ \triangleq\ (y' = y + 1) \wedge (x' = x) \\
\mathcal{M} & \triangleq & \mathcal{M}_1 \vee \mathcal{M}_2 \\[4pt]
\Phi & \triangleq & Init_\Phi \wedge \Box[\mathcal{M}]_{\langle x, y\rangle} \wedge WF_{\langle x, y\rangle}(\mathcal{M}_1) \wedge WF_{\langle x, y\rangle}(\mathcal{M}_2)
\end{array}$$

Figure 1: The TLA formula $\Phi$ describing a simple program that repeatedly increments $x$ or $y$.

If $f$ is a state function or state predicate, we write $f'$ for the expression obtained by priming all the variables of $f$. For example $(x + 1)'$ equals $x' + 1$, and $Init_\Phi'$ equals $(x' = 0) \wedge (y' = 0)$. For an action $\mathcal{A}$ and a state function $v$, we define $[\mathcal{A}]_v$ to equal $\mathcal{A} \vee (v' = v)$, so a $[\mathcal{A}]_v$ step is either an $\mathcal{A}$ step or a step that leaves the value of $v$ unchanged. Thus, a $[\mathcal{M}_1]_{\langle x, y\rangle}$ step is one that increments $x$ by one and leaves $y$ unchanged, or else leaves the ordered pair $\langle x, y\rangle$ unchanged. Since a tuple is unchanged iff each component is unchanged, a $[\mathcal{M}_1]_{\langle x, y\rangle}$ step is one that increments $x$ by one and leaves $y$ unchanged, or else leaves both $x$ and $y$ unchanged. We define $\langle\mathcal{A}\rangle_v$ to equal $\mathcal{A} \wedge (v' \neq v)$, so an $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ step is an $\mathcal{M}_1$ step that changes $x$ or $y$. Since an $\mathcal{M}_1$ step leaves $y$ unchanged, an $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ step is a step that increments $x$ by 1, changes the value of $x$, and leaves $y$ unchanged.

We say that an action $\mathcal{A}$ is enabled in state $s$ iff there exists a state $t$ such that $(s, t)$ is an $\mathcal{A}$ step. For example, $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ is enabled iff it is possible to take a step that increments $x$ by one, changes $x$, and leaves $y$ unchanged. Since $x + 1 \neq x$ for any natural number $x$, action $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ is enabled in any state in which $x$ is a natural number. If $\infty + 1$ equals $\infty$, then $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ is not enabled in a state in which $x$ equals $\infty$.

A TLA formula is true or false of a behavior. A predicate is true of a behavior iff it is true of the first state. An action is true of a behavior iff it is true of the first pair of states. As usual in temporal logic, if $F$ is a formula then $\Box F$ is the formula meaning that $F$ is always true. Thus, $\Box Init_\Phi$ is true of a behavior iff $x$ and $y$ equal zero for every state in the behavior. The formula $\Box[\mathcal{M}_1]_{\langle x, y\rangle}$ is true of a behavior iff each step (pair of successive states) of the behavior is a $[\mathcal{M}_1]_{\langle x, y\rangle}$ step.

Using $\Box$ and "enabled" predicates, we can define fairness operators $WF$ and $SF$. The weak fairness formula $WF_v(\mathcal{A})$ asserts of a behavior that there are infinitely many $\langle\mathcal{A}\rangle_v$ steps, or there are infinitely many states in which $\langle\mathcal{A}\rangle_v$ is not enabled. In other words, $WF_v(\mathcal{A})$ asserts that if $\langle\mathcal{A}\rangle_v$ becomes enabled forever, then infinitely many $\langle\mathcal{A}\rangle_v$ steps occur. The strong fairness formula $SF_v(\mathcal{A})$ asserts that either there are infinitely many $\langle\mathcal{A}\rangle_v$ steps, or there are only finitely many states in which $\langle\mathcal{A}\rangle_v$ is enabled. In other words, $SF_v(\mathcal{A})$ asserts that if $\langle\mathcal{A}\rangle_v$ is enabled infinitely often, then infinitely many $\langle\mathcal{A}\rangle_v$ steps occur.

The standard form of a TLA specification is $Init \wedge \Box[\mathcal{N}]_v \wedge L$, where $Init$ is a predicate, $\mathcal{N}$ is an action, $v$ is a state function, and $L$ is a conjunction of fairness conditions. This formula asserts of a behavior that (i) $Init$ is true for the initial state, (ii) every step of the behavior is an $\mathcal{N}$ step or leaves $v$ unchanged, and (iii) $L$ holds. Formula $\Phi$ of Figure 1 is in this form, asserting that (i) initially $x$ and $y$ both equal zero, (ii) every step either increments $x$ by one and leaves $y$ unchanged, increments $y$ by one and leaves $x$ unchanged, or leaves both $x$ and $y$ unchanged, and (iii) the fairness condition $WF_{\langle x, y\rangle}(\mathcal{M}_1) \wedge WF_{\langle x, y\rangle}(\mathcal{M}_2)$ holds. Formula $WF_{\langle x, y\rangle}(\mathcal{M}_1)$ asserts that there are infinitely many $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ steps or $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ is infinitely often not enabled. Since (i) and (ii) imply that $x$ is always a natural number, $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ is always enabled. Hence, $WF_{\langle x, y\rangle}(\mathcal{M}_1)$ implies that there are infinitely many $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ steps, so $x$ is incremented infinitely often. Similarly, $WF_{\langle x, y\rangle}(\mathcal{M}_2)$ implies that $y$ is incremented infinitely often. Putting this all together, we see that $\Phi$ is true of a behavior iff (i) $x$ and $y$ are initially zero, (ii) every step increments either $x$ or $y$ by one and leaves the other unchanged or else leaves both $x$ and $y$ unchanged, and (iii) both $x$ and $y$ are incremented infinitely many times.

The formula $Init \wedge \Box[\mathcal{N}]_v$ is a safety property [2]. It describes what steps are allowed, but it does not require anything to happen. (The formula is satisfied by a behavior satisfying the initial condition in which no variables ever change.) Fairness conditions are used to specify that something must happen.
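The operators of this section can be made concrete on finite data. The following Python is an added example, not code from the paper: it encodes the Figure 1 actions as predicates over pairs of states (dicts), defines $[\mathcal{A}]_v$, $\langle\mathcal{A}\rangle_v$ and enabledness, and evaluates the safety part of $\Phi$ on a finite prefix of a behavior. Two assumptions are the example's own: the candidate set used to decide enabledness is a finite fragment of TLA's infinite state space, and `float("inf")` stands in for the $\infty$ with $\infty + 1 = \infty$ discussed above. The fairness conjuncts of $\Phi$ speak about the infinite tail of a behavior and are not checked.

```python
"""TLA step semantics for the Figure 1 formulas, executed on finite data.

Added example, not from the paper. A state is a dict from variable names to
values; an action is a predicate over a pair of states (s, t), with t giving
the primed values. The candidate set used to decide "enabled" is a finite
fragment of TLA's infinite state space (an assumption of this example).
"""
from itertools import product

INF = float("inf")  # plays the role of oo, for which oo + 1 == oo


def Init_Phi(s):
    return s["x"] == 0 and s["y"] == 0


def M1(s, t):
    """x' = x + 1  /\\  y' = y"""
    return t["x"] == s["x"] + 1 and t["y"] == s["y"]


def M2(s, t):
    """y' = y + 1  /\\  x' = x"""
    return t["y"] == s["y"] + 1 and t["x"] == s["x"]


def M(s, t):
    return M1(s, t) or M2(s, t)


def xy(s):
    """The state function <x, y>."""
    return (s["x"], s["y"])


def boxed(A, v):
    """[A]_v: an A step, or a step leaving v unchanged (a stuttering step)."""
    return lambda s, t: A(s, t) or v(t) == v(s)


def angled(A, v):
    """<A>_v: an A step that changes v."""
    return lambda s, t: A(s, t) and v(t) != v(s)


def enabled(A, s, candidates):
    """A is enabled in s iff some candidate t makes (s, t) an A step."""
    return any(A(s, t) for t in candidates)


def candidate_states(values):
    """Every state giving x and y values drawn from `values` (assumption:
    this finite fragment stands in for the set of all states)."""
    return [{"x": a, "y": b} for a, b in product(values, repeat=2)]


def satisfies_safety(prefix):
    """Init_Phi /\\ [][M]_<x,y> evaluated on a finite prefix of a behavior.
    The WF conjuncts of Phi concern the infinite tail and are not decided."""
    return Init_Phi(prefix[0]) and all(
        boxed(M, xy)(s, t) for s, t in zip(prefix, prefix[1:]))


def m1_enabled_at(x_value, values=(0, 1, 2, INF)):
    """Whether <M1>_<x,y> is enabled in the state x = x_value, y = 0,
    judged against candidate_states(values)."""
    return enabled(angled(M1, xy), {"x": x_value, "y": 0},
                   candidate_states(values))


# Constructed sample prefixes (not from the paper).
GOOD_PREFIX = [{"x": 0, "y": 0}, {"x": 0, "y": 0},   # second step stutters
               {"x": 1, "y": 0}, {"x": 1, "y": 1}, {"x": 2, "y": 1}]
BAD_STEP_PREFIX = [{"x": 0, "y": 0}, {"x": 1, "y": 1}]  # changes x and y at once
BAD_INIT_PREFIX = [{"x": 1, "y": 0}, {"x": 2, "y": 0}]  # violates Init_Phi
```

With `x = INF`, `M1` itself is still enabled (the pair with `t["x"] == INF` is an `M1` step, because `INF + 1 == INF`), but `angled(M1, xy)` is not, since that step leaves `<x, y>` unchanged; this is the distinction between an action and its `<A>_v` form that weak fairness depends on.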

3 Predicate-Action Diagrams
3.1 An Example

We take as an example a Muller C-element [4]. This is a circuit with $n$ binary inputs $in[1], \dots, in[n]$ and one binary output $out$, as shown in Figure 2. As the figure indicates, we are considering the closed system consisting of the C-element together with its environment. Initially, all the inputs and the output are equal. The output becomes 0 when all the inputs are 0, and it becomes 1 when all the inputs are 1. After an input changes, it must remain stable until the output changes.

The behavior of a 2-input C-element and its environment is described by the predicate-action diagram of Figure 3(a), where $C$ is defined by
$$C(i, j, k) \triangleq (in[1] = i) \wedge (in[2] = j) \wedge (out = k)$$

The short arrows, with no originating node, identify the nodes labeled $C(0, 0, 0)$ and $C(1, 1, 1)$ as initial nodes. They indicate that the C-element starts in a state satisfying $C(0, 0, 0)$ or $C(1, 1, 1)$. The arrows connecting nodes indicate possible state transitions. For example, from a state satisfying $C(1, 1, 1)$, it is possible for the system to go to a state satisfying either $C(0, 1, 1)$ or $C(1, 0, 1)$. More precisely, these arrows indicate all steps in which the triple $\langle in[1], in[2], out\rangle$ changes, that is, transitions in which at least one of $in[1]$, $in[2]$, and $out$ changes. Steps that change other variables (for example, variables representing circuit elements inside the environment) but leave $\langle in[1], in[2], out\rangle$ unchanged are also possible.

Figure 2: A Muller C-element.

The predicate-action diagram of Figure 3(a) looks like a standard state-transition diagram. However, we interpret it formally not as a conventional state machine, but as the TLA formula of Figure 3(b).¹ This formula has the form $Init \wedge \bigwedge_o F_o$, where $Init$ is a state predicate and there is one conjunct $F_o$ for each node $o$. The predicate $Init$ is $C(0, 0, 0) \vee C(1, 1, 1)$. Each $F_o$ describes the possible state changes starting from a state described by node $o$. For example, the formula $F_o$ for the node labeled $C(1, 1, 0)$ is
$$\Box[C(1, 1, 0) \Rightarrow C(1, 1, 1)']_{\langle in[1], in[2], out\rangle}$$
A predicate-action diagram represents a safety property; it does not include any fairness conditions.

Figure 3(a) is a reasonable way to describe a 2-input C-element. However, the corresponding diagram for a 3-input C-element would be quite complicated, and there is no way to draw such a diagram for an $n$-input circuit. The general specification is written directly as a TLA formula in Figure 4. The array of inputs is represented formally by a variable $in$ whose value is a function with domain $\{1, \dots, n\}$, where square brackets denote function application. (Formally, $n$ is a rigid variable, one whose value is constant throughout a behavior.) We introduce two pieces of notation for representing functions:

¹ A list of formulas bulleted by $\wedge$ or $\vee$ denotes their conjunction or disjunction.
(a) A predicate-action diagram.

(b) The corresponding TLA formula.

$$\begin{array}{l}
\wedge\ C(0,0,0) \vee C(1,1,1) \\
\wedge\ \Box[C(0,0,0) \Rightarrow C(1,0,0)' \vee C(0,1,0)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(1,0,0) \Rightarrow C(1,1,0)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(0,1,0) \Rightarrow C(1,1,0)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(1,1,0) \Rightarrow C(1,1,1)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(1,1,1) \Rightarrow C(0,1,1)' \vee C(1,0,1)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(0,1,1) \Rightarrow C(0,0,1)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(1,0,1) \Rightarrow C(0,0,1)']_{\langle in[1], in[2], out\rangle} \\
\wedge\ \Box[C(0,0,1) \Rightarrow C(0,0,0)']_{\langle in[1], in[2], out\rangle}
\end{array}$$

Figure 3: Predicate-action diagram of $\langle in[1], in[2], out\rangle$ for a 2-input C-element, and the corresponding TLA formula.

• $[i \in S \mapsto e(i)]$ denotes the function $f$ with domain $S$ such that $f[i]$ equals $e(i)$ for every $i$ in $S$.

• $[f\ \textsc{except}\ ![i] = e]$ denotes the function $g$ that is the same as $f$ except that $g[i]$ equals $e$.

The formulas defined in Figure 4 have the following interpretation.

$$\begin{array}{lcl}
Init_C & \triangleq & \wedge\ out \in \{0, 1\} \\
 & & \wedge\ in = [i \in \{1, \dots, n\} \mapsto out] \\[4pt]
Input(i) & \triangleq & \wedge\ in[i] = out \\
 & & \wedge\ in' = [in\ \textsc{except}\ ![i] = 1 - in[i]] \\
 & & \wedge\ out' = out \\[4pt]
Output & \triangleq & \wedge\ \forall i \in \{1, \dots, n\} : in[i] \neq out \\
 & & \wedge\ out' = 1 - out \\
 & & \wedge\ in' = in \\[4pt]
Next & \triangleq & Output \vee \exists i \in \{1, \dots, n\} : Input(i) \\[4pt]
\Pi_C & \triangleq & Init_C \wedge \Box[Next]_{\langle in, out\rangle} \wedge WF_{\langle in, out\rangle}(Output)
\end{array}$$

Figure 4: A TLA specification of an $n$-input C-element.

$Init_C$  A state predicate asserting that $out$ is either 0 or 1, and that $in$ is the function with domain $\{1, \dots, n\}$ such that $in[i]$ equals $out$ for all $i$ in its domain.

$Input(i)$  An action that is enabled iff $in[i]$ equals $out$. It complements $in[i]$, leaves $in[j]$ unchanged for $j \neq i$, and leaves $out$ unchanged. (The symbol $i$ is a parameter.)

$Output$  An action that is enabled iff all the $in[i]$ are different from $out$. It complements $out$ and leaves $in$ unchanged.

$Next$  An action that is the disjunction of $Output$ and all the $Input(i)$ actions, for $i \in \{1, \dots, n\}$. Thus, a $Next$ step is either an $Output$ step or an $Input(i)$ step for some input line $i$.

$\Pi_C$  A temporal formula that is the specification of the C-element (together with its environment). It asserts that (i) $Init_C$ holds initially, (ii) every step is either a $Next$ step or else leaves $\langle in, out\rangle$ unchanged, and (iii) $Output$ cannot be enabled forever without an $Output$ step occurring. The fairness condition (iii) requires the output to change if all the inputs have; inputs are not required to change. (Since predicate-action diagrams describe only safety properties, the fairness condition is irrelevant to our discussion.)

The specification $\Pi_C$ is short and precise. However, it is not as reader-friendly as a predicate-action diagram. We therefore use diagrams to help explain the specification, beginning with the predicate-action diagram of Figure 5. It is a diagram of the state function $\langle in[i], out\rangle$, meaning that it describes transitions that change $\langle in[i], out\rangle$. It is a diagram for the formula $\Pi_C$, meaning that it represents a formula that is implied by $\Pi_C$. The diagram shows the synchronization between the C-element's $i$th input and its output.

We can draw many different predicate-action diagrams for the same specification. Figure 6 shows another diagram of $\langle in[i], out\rangle$ for $\Pi_C$. It is simpler than the one in Figure 5, but it contains less information. It does not indicate that the values of $in[i]$ and $out$ are always 0 or 1, and it does not show which variable is changed by each transition. The latter information is added in the diagram of Figure 7(a), where each transition is labeled with an action. The label $Input(i)$ on the left-to-right arrow indicates that a transition from a state satisfying $in[i] = out$ to a state satisfying $in[i] \neq out$ is an $Input(i)$ step. This diagram represents the TLA formula of Figure 7(b).

Figure 5: A predicate-action diagram of $\langle in[i], out\rangle$ for the specification $\Pi_C$ of an $n$-input C-element, where $1 \le i \le n$.

Figure 6: Another predicate-action diagram of $\langle in[i], out\rangle$ for $\Pi_C$, where $1 \le i \le n$.

Even more information is conveyed by a predicate-action diagram of $\langle in, out\rangle$, which also shows transitions that leave $in[i]$ and $out$ unchanged but change $in[j]$ for some $j \neq i$. Such a diagram is drawn in Figure 8(a). Figure 8(b) gives the corresponding TLA formula.

There are innumerable predicate-action diagrams that can be drawn for a specification. Figure 9 shows yet another diagram for the C-element specification $\Pi_C$. Since we are not relying on these diagrams as our specification, but simply to help explain the specification, we can show as much or as little information in them as we wish. We can draw multiple diagrams to illustrate different aspects of a system. Actual specifications are written as TLA formulas, which are much more expressive than pictures.
(a) A predicate-action diagram of $\langle in[i], out\rangle$: two nodes, labeled $in[i] = out$ and $in[i] \neq out$, the left-to-right edge labeled $Input(i)$ and the right-to-left edge labeled $Output$.

(b) The corresponding TLA formula.

$$\begin{array}{l}
\wedge\ in[i] = out \\
\wedge\ \Box[(in[i] = out) \Rightarrow Input(i) \wedge (in'[i] \neq out')]_{\langle in[i], out\rangle} \\
\wedge\ \Box[(in[i] \neq out) \Rightarrow Output \wedge (in'[i] = out')]_{\langle in[i], out\rangle}
\end{array}$$

Figure 7: A more informative predicate-action diagram of $\langle in[i], out\rangle$ for $\Pi_C$, and the corresponding TLA formula.



(a) A predicate-action diagram of $\langle in, out\rangle$: the two nodes of Figure 7(a), with the edges $Input(i)$ and $Output$ between them and a self-loop labeled $\exists j \neq i : Input(j)$ on each node.

(b) The corresponding TLA formula.

$$\begin{array}{l}
\wedge\ in[i] = out \\[4pt]
\wedge\ \Box\left[(in[i] = out) \Rightarrow
  \begin{array}[t]{l}
    \vee\ Input(i) \wedge (in'[i] \neq out') \\
    \vee\ (\exists j \neq i : Input(j)) \wedge (in'[i] = out')
  \end{array}\right]_{\langle in, out\rangle} \\[12pt]
\wedge\ \Box\left[(in[i] \neq out) \Rightarrow
  \begin{array}[t]{l}
    \vee\ Output \wedge (in'[i] = out') \\
    \vee\ (\exists j \neq i : Input(j)) \wedge (in'[i] \neq out')
  \end{array}\right]_{\langle in, out\rangle}
\end{array}$$

Figure 8: A predicate-action diagram of $\langle in, out\rangle$ for $\Pi_C$, and the corresponding TLA formula, where $1 \le i \le n$.
Figure 9: Yet another predicate-action diagram of $\langle in, out\rangle$ for $\Pi_C$. (Its edges are labeled with actions such as $out' = 1 - out$.)

3.2 A Formal Treatment 

3.2.1 Definition 

We first define precisely the TLA formula represented by a diagram. Formally, a predicate-action diagram consists of a directed graph, with a subset of the nodes identified as initial nodes, where each node is labeled by a state predicate and each edge is labeled by an action. We assume a given diagram of a state function $v$ and introduce the following notation.

$N$  The set of nodes.

$I$  The set of initial nodes.

$E(n)$  The set of edges originating at node $n$.

$d(e)$  The destination node of edge $e$.

$P_n$  The predicate labeling node $n$.

$E_e$  The action labeling edge $e$.

The formula $\Delta$ represented by the diagram is defined as follows.
$$\begin{array}{lcl}
Init_\Delta & \triangleq & \exists n \in I : P_n \\
A_n & \triangleq & \exists e \in E(n) : E_e \wedge P'_{d(e)} \\
\Delta & \triangleq & Init_\Delta \wedge \forall n \in N : \Box[P_n \Rightarrow A_n]_v
\end{array}$$

When no explicit label is attached to an edge $e$, we take $E_e$ to be true. When no set of initial nodes is explicitly indicated, we take $I$ to be $N$. With the usual convention for quantification over an empty set, $A_n$ is defined to equal false if there are no edges originating at node $n$.

3.2.2 Another Interpretation

Another possible interpretation of the predicate-action diagram is the formula $\hat\Delta$, defined by
$$\hat\Delta \triangleq Init_\Delta \wedge \Box[\exists n \in N : P_n \wedge A_n]_v$$
This is perhaps a more obvious interpretation, especially if the diagram is viewed as a description of a next-state relation. We now show that $\Delta$ always implies $\hat\Delta$, and that the converse implication holds if the predicates labeling the nodes are disjoint.

(A) $\Delta$ implies $\hat\Delta$.

Proof: A simple invariance proof shows that $\Delta$ implies $\Box(\exists n \in N : P_n)$. We then have:
$$\begin{array}{cl}
 & \Delta \\
\equiv & Init_\Delta \wedge \forall n \in N : \Box[P_n \Rightarrow A_n]_v \\
\equiv & Init_\Delta \wedge \Box[\exists n \in N : P_n]_v \wedge \forall n \in N : \Box[P_n \Rightarrow A_n]_v \\
 & \quad\text{[because } \Delta \text{ implies } \Box(\exists n \in N : P_n)\text{]} \\
\equiv & Init_\Delta \wedge \Box[(\exists n \in N : P_n) \wedge \forall n \in N : (P_n \Rightarrow A_n)]_v \\
 & \quad\text{[because } \Box \text{ distributes over conjunction]} \\
\Rightarrow & Init_\Delta \wedge \Box[\exists n \in N : P_n \wedge A_n]_v \\
 & \quad\text{[by propositional logic, since } B \Rightarrow C \text{ implies } \Box[B]_v \Rightarrow \Box[C]_v\text{]} \\
\equiv & \hat\Delta
\end{array}$$

(B) If $\neg(P_m \wedge P_n)$ holds for all $m, n$ in $N$ with $m \neq n$, then $\hat\Delta$ implies $\Delta$.

Proof: By propositional logic, the hypothesis implies
$$(\exists n \in N : P_n \wedge A_n) \Rightarrow (\forall n \in N : P_n \Rightarrow A_n)$$
The result then follows from simple temporal reasoning, essentially by the reverse of the string of equivalences and implication used to prove (A). $\square$

We usually label the nodes of a predicate-action diagram with disjoint predicates, in which case (A) and (B) imply that the interpretations $\Delta$ and $\hat\Delta$ are equivalent. Diagrams with nondisjoint node labels may occasionally be useful; $\Delta$ is the more convenient interpretation of such diagrams.

3.3 Proving a Predicate-Action Diagram

Saying that a diagram is a predicate-action diagram for a specification $\Pi$ asserts that $\Pi$ implies the formula $\Delta$ represented by the diagram. Formula $\Pi$ will usually have the form $Init_\Pi \wedge \Box[\mathcal{M}]_u \wedge L$, where $L$ is a fairness condition. Formula $\Delta$ equals $Init_\Delta \wedge \forall n \in N : \Box[P_n \Rightarrow A_n]_v$. To prove $\Pi \Rightarrow \Delta$, we prove:

1. $Init_\Pi \Rightarrow Init_\Delta$

2. $Init_\Pi \wedge \Box[\mathcal{M}]_u \Rightarrow \Box[P_n \Rightarrow A_n]_v$, for each node $n$.

The first condition is an assertion about predicates; it is generally easy to prove. To prove the second condition, one usually finds an invariant $Inv$ such that $Init_\Pi \wedge \Box[\mathcal{M}]_u$ implies $\Box Inv$, so $\Pi$ implies $\Box[\mathcal{M} \wedge Inv]_u$. The second condition is then proved by showing that $[\mathcal{M} \wedge Inv]_u$ implies $[P_n \Rightarrow A_n]_v$, for each node $n$. Usually, $u$ and $v$ are tuples and every component of $v$ is a component of $u$, so $u' = u$ implies $v' = v$. In this case, one need show only that $\mathcal{M} \wedge Inv$ implies $[P_n \Rightarrow A_n]_v$, for each $n$. By definition of $A_n$, this means proving
$$P_n \wedge \mathcal{M} \wedge Inv \Rightarrow (\exists m \in E(n) : E_m \wedge P'_{d(m)}) \vee (v' = v)$$
for each node $n$. This formula asserts that an $\mathcal{M}$ step that starts with $P_n$ and $Inv$ true and changes $v$ is an $E_m$ step that ends in a state satisfying $P_{d(m)}$, for some edge $m$ originating at node $n$.
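When the state space is finite, the two conditions above can be discharged by enumeration rather than by proof. The following Python is an added example, not code from the paper: it encodes the safety part of $\Pi_C$ from Figure 4 (with $in$ a tuple over $\{0, 1\}$ and $out \in \{0, 1\}$; the fairness conjunct plays no role for a diagram), represents a diagram as the data of Section 3.2.1 (node predicates, initial nodes, labeled edges), and checks conditions 1 and 2 over every state and every $Next$ step, with $Inv$ taken to be true. The Figure 3 diagram is the example's own transcription for $n = 2$, and the Figure 7 diagram of $\langle in[i], out\rangle$ is checked for $n = 3$ and every $i$, which is the situation the section motivates: a diagram that stays small when the full state diagram does not. The state representation and the function names are the example's, not the paper's.

```python
"""Checking that a diagram is a predicate-action diagram for a specification,
by exhaustive enumeration of a finite state space.

Added example, not from the paper. It encodes the safety part of Pi_C
(Figure 4) with states {"in": tuple over {0,1}, "out": 0 or 1}, the formula
Delta of Section 3.2.1 as data (nodes, initial nodes, labeled edges), and the
two proof conditions of Section 3.3 with Inv taken to be true.
"""
from itertools import product


def all_states(n):
    return [{"in": ins, "out": o}
            for ins in product((0, 1), repeat=n) for o in (0, 1)]


def Init_C(s):
    return s["out"] in (0, 1) and all(v == s["out"] for v in s["in"])


def Input(i):
    """Input(i) of Figure 4; i is 1-based as in the paper."""
    def action(s, t):
        k = i - 1
        flipped = s["in"][:k] + (1 - s["in"][k],) + s["in"][k + 1:]
        return (s["in"][k] == s["out"] and t["in"] == flipped
                and t["out"] == s["out"])
    return action


def Output(s, t):
    return (all(v != s["out"] for v in s["in"])
            and t["out"] == 1 - s["out"] and t["in"] == s["in"])


def Next(n):
    inputs = [Input(i) for i in range(1, n + 1)]
    return lambda s, t: Output(s, t) or any(a(s, t) for a in inputs)


def check_diagram(states, init, next_, v, nodes, init_nodes, edges):
    """Conditions 1 and 2 of Section 3.3 with Inv = true.

    nodes: {name: predicate}; init_nodes: the names in I; edges: (src, E, dst)
    where E is an action or None for an unlabeled edge (E_e = true).
    Returns the violations found; [] means Init /\\ [][Next]_v implies Delta."""
    violations = []
    for s in states:
        if init(s) and not any(nodes[n](s) for n in init_nodes):
            violations.append(("init", s))            # condition 1 fails
    for s, t in product(states, repeat=2):
        if not next_(s, t) or v(t) == v(s):
            continue                     # not a Next step that changes v
        for name, P in nodes.items():
            if P(s) and not any(
                    src == name and (E is None or E(s, t)) and nodes[dst](t)
                    for src, E, dst in edges):
                violations.append((name, s, t))     # P_n holds but A_n fails
    return violations


def in_out(s):
    """The state function <in, out>."""
    return (s["in"], s["out"])


# Figure 3(a) for n = 2, transcribed by hand from the diagram as Section 3.1
# describes it (the transcription is this example's, not the paper's text).
def C(i, j, k):
    return lambda s: s["in"] == (i, j) and s["out"] == k


FIG3_NODES = {(i, j, k): C(i, j, k) for i, j, k in product((0, 1), repeat=3)}
FIG3_INIT = [(0, 0, 0), (1, 1, 1)]
FIG3_EDGES = [(src, None, dst) for src, dst in [
    ((0, 0, 0), (1, 0, 0)), ((0, 0, 0), (0, 1, 0)),
    ((1, 0, 0), (1, 1, 0)), ((0, 1, 0), (1, 1, 0)),
    ((1, 1, 0), (1, 1, 1)),
    ((1, 1, 1), (0, 1, 1)), ((1, 1, 1), (1, 0, 1)),
    ((0, 1, 1), (0, 0, 1)), ((1, 0, 1), (0, 0, 1)),
    ((0, 0, 1), (0, 0, 0))]]


def figure3_violations(edges=FIG3_EDGES):
    return check_diagram(all_states(2), Init_C, Next(2), in_out,
                         FIG3_NODES, FIG3_INIT, edges)


def figure7_violations(n, i):
    """Figure 7: the diagram of <in[i], out> with nodes in[i] = out and
    in[i] /= out, edges Input(i) and Output, and initial node in[i] = out."""
    k = i - 1
    v = lambda s: (s["in"][k], s["out"])
    nodes = {"eq": lambda s: s["in"][k] == s["out"],
             "ne": lambda s: s["in"][k] != s["out"]}
    edges = [("eq", Input(i), "ne"), ("ne", Output, "eq")]
    return check_diagram(all_states(n), Init_C, Next(n), v, nodes, ["eq"], edges)


if __name__ == "__main__":
    print("Figure 3, n = 2:", figure3_violations() or "holds")
    print("Figure 7, n = 3:", [figure7_violations(3, i) or "holds" for i in (1, 2, 3)])
    print("Figure 3 minus its last edge:", figure3_violations(FIG3_EDGES[:-1]))
```

Dropping the edge from $C(0,0,1)$ to $C(0,0,0)$ produces exactly one violation, the $Output$ step out of the state $in = (0, 0)$, $out = 1$; that is the node-by-node obligation of condition 2 failing for that node and nothing else.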

4 Illustrating Proofs

In TLA, there is no distinction between a specification and a property; they are both formulas. Verification means proving that one formula implies another. A practical, relatively complete set of rules for proving such implications is described in [3]. We show here how predicate-action diagrams can be used to illustrate these proofs. We take as our example the same one treated in [3]: that the specification $\Psi$ defined in Section 4.1 below implies the specification $\Phi$ defined in Section 2 above.

4.1 Another Specification

We define a TLA formula $\Psi$ describing a program with two processes, each of which repeatedly loops through the sequence of operations $P(sem)$; increment; $V(sem)$, where one process increments $x$ by one and the other increments $y$ by one. Here, $P(sem)$ and $V(sem)$ denote the usual operations on a semaphore $sem$. To describe this program formally, we introduce a variable $pc$ that indicates the control state. Each process has three control points, which we call "a", "b", and "g". (Quotes indicate string values.)

We motivate the definition of $\Psi$ with the three predicate-action diagrams for $\Psi$ in Figure 10. In these diagrams, the predicate $PC(p, q)$ asserts that control is at $p$ in process 1 and at $q$ in process 2. Figure 10(a) shows how the control state changes when the $P(sem)$, $V(sem)$, and increment actions are performed. Variables other than $pc$ not mentioned in an edge label are left unchanged by the indicated steps (for example, steps described by the edge labeled $x' = x + 1$ leave $y$ and $sem$ unchanged), but this is not asserted by the diagram. The next-state action $\mathcal{N}$ of $\Psi$ is written as the disjunction $\mathcal{N}_1 \vee \mathcal{N}_2$ of the next-state actions of the two processes, and each $\mathcal{N}_i$ is written as the disjunction $\alpha_i \vee \beta_i \vee \gamma_i$. Figure 10(b) illustrates this decomposition. Finally, the predicate-action diagram of Figure 10(c) describes how the semaphore variable $sem$ changes.

To write the specification we let $pc$ be a function with domain $\{1, 2\}$, with $pc[i]$ indicating where control resides in process $i$. The formula $PC(p, q)$ can then be defined by
$$PC(p, q) \triangleq (pc[1] = p) \wedge (pc[2] = q)$$
The semaphore actions $P$ and $V$ are defined by
$$P(sem) \triangleq (0 < sem) \wedge (sem' = sem - 1) \qquad\qquad V(sem) \triangleq sem' = sem + 1$$

Missing from Figure 10 are a specification of the initial values of $x$ and $y$, which we take to be zero, and a fairness condition. One could augment predicate-action diagrams with some notation for indicating fairness conditions. However, the conditions that are easy to represent with a diagram are not expressive enough to describe the variety of fairness requirements that arise in practice. The $WF$ and $SF$ formulas, which are expressive enough, are not easy to represent graphically. So, we have not attempted to represent fairness in our diagrams. We take as the fairness condition for our specification $\Psi$ strong fairness on the next-state action $\mathcal{N}_i$ of each process. The complete definition of $\Psi$ appears in Figure 11.

4.2 An Illustrated Proof

The proof of $\Psi \Rightarrow \Phi$ is broken into three parts:

1. $Init_\Psi \Rightarrow Init_\Phi$

2. $Init_\Psi \wedge \Box[\mathcal{N}]_w \Rightarrow \Box[\mathcal{M}]_{\langle x, y\rangle}$

3. $\Psi \Rightarrow WF_{\langle x, y\rangle}(\mathcal{M}_i)$, for $i = 1, 2$

$$\begin{array}{lcl}
Init_\Psi & \triangleq & \wedge\ pc = [i \in \{1, 2\} \mapsto \text{``a''}] \\
 & & \wedge\ (x = 0) \wedge (y = 0) \\
 & & \wedge\ sem = 1 \\[4pt]
\alpha_i & \triangleq & \wedge\ (pc[i] = \text{``a''}) \wedge (0 < sem) \\
 & & \wedge\ pc' = [pc\ \textsc{except}\ ![i] = \text{``b''}] \\
 & & \wedge\ sem' = sem - 1 \\
 & & \wedge\ \langle x, y\rangle' = \langle x, y\rangle \\[4pt]
\beta_1 & \triangleq & \wedge\ pc[1] = \text{``b''} \\
 & & \wedge\ pc' = [pc\ \textsc{except}\ ![1] = \text{``g''}] \\
 & & \wedge\ x' = x + 1 \\
 & & \wedge\ \langle y, sem\rangle' = \langle y, sem\rangle \\[4pt]
\beta_2 & \triangleq & \wedge\ pc[2] = \text{``b''} \\
 & & \wedge\ pc' = [pc\ \textsc{except}\ ![2] = \text{``g''}] \\
 & & \wedge\ y' = y + 1 \\
 & & \wedge\ \langle x, sem\rangle' = \langle x, sem\rangle \\[4pt]
\gamma_i & \triangleq & \wedge\ pc[i] = \text{``g''} \\
 & & \wedge\ pc' = [pc\ \textsc{except}\ ![i] = \text{``a''}] \\
 & & \wedge\ sem' = sem + 1 \\
 & & \wedge\ \langle x, y\rangle' = \langle x, y\rangle \\[4pt]
\mathcal{N}_i & \triangleq & \alpha_i \vee \beta_i \vee \gamma_i \\
\mathcal{N} & \triangleq & \mathcal{N}_1 \vee \mathcal{N}_2 \\
w & \triangleq & \langle x, y, sem, pc\rangle \\[4pt]
\Psi & \triangleq & Init_\Psi \wedge \Box[\mathcal{N}]_w \wedge SF_w(\mathcal{N}_1) \wedge SF_w(\mathcal{N}_2)
\end{array}$$

Figure 11: The specification $\Psi$.
We illustrate the proofs of 2 and 3 with the predicate-action diagram of $\langle x, y, sem, pc\rangle$ for $\Psi$ in Figure 12, where $Q$ is defined by
$$Q_i(p, q) \triangleq PC(p, q) \wedge (sem = i) \wedge (x \in Nat) \wedge (y \in Nat)$$
and $Nat$ is the set of natural numbers.

Figure 12: Another predicate-action diagram of $\langle x, y, sem, pc\rangle$ for $\Psi$. (Its edges are labeled with actions such as $\langle x, y\rangle' = \langle x, y\rangle$.)

First, we must show that the diagram in Figure 12 is a predicate-action diagram for $\Psi$. This is easy; no invariant is needed. For example, the condition to be proved for the node labeled $Q_0(\text{``b''}, \text{``a''})$ is that an $\mathcal{N}$ step that starts with $Q_0(\text{``b''}, \text{``a''})$ true is an $\mathcal{M}_1$ step (one that increments $x$ and leaves $y$ unchanged) that makes $Q_0(\text{``g''}, \text{``a''})$ true. This follows easily from the definitions of $Q$ and $\mathcal{N}$, since an $\mathcal{N}$ step starting with $PC(\text{``b''}, \text{``a''})$ true must be a $\beta_1$ step.

To prove condition 2, it suffices to prove that every step allowed by the diagram of Figure 12 is a $[\mathcal{M}]_{\langle x, y\rangle}$ step. The steps not shown explicitly by the diagram are ones that leave $w$ unchanged. Such steps leave $\langle x, y\rangle$ unchanged, so they are $[\mathcal{M}]_{\langle x, y\rangle}$ steps. The actions labeling all the edges of the diagram imply $[\mathcal{M}]_{\langle x, y\rangle}$, so all the steps shown explicitly by the diagram are also $[\mathcal{M}]_{\langle x, y\rangle}$ steps. This proves condition 2.

We now sketch the proof of condition 3. To prove $WF_{\langle x, y\rangle}(\mathcal{M}_i)$, it suffices to show that infinitely many $\langle\mathcal{M}_i\rangle_{\langle x, y\rangle}$ steps occur. We first observe that each of the predicates labeling a node in the diagram implies that either $\langle\mathcal{N}_1\rangle_w$ or $\langle\mathcal{N}_2\rangle_w$ is enabled. The fairness condition of $\Psi$ then implies that a behavior cannot remain forever at any node, but must keep moving through the diagram. Hence, the behavior must infinitely often pass through the $Q_1(\text{``a''}, \text{``a''})$ node. The predicate $Q_1(\text{``a''}, \text{``a''})$ implies that both $\langle\mathcal{N}_1\rangle_w$ and $\langle\mathcal{N}_2\rangle_w$ are enabled. Hence, the fairness condition $SF_w(\mathcal{N}_1) \wedge SF_w(\mathcal{N}_2)$ implies that infinitely many $\langle\mathcal{N}_1\rangle_w$ steps and infinitely many $\langle\mathcal{N}_2\rangle_w$ steps must occur. Action $\langle\mathcal{N}_1\rangle_w$ is enabled only in the three nodes of the top loop. Taking infinitely many $\langle\mathcal{N}_1\rangle_w$ steps is therefore possible only by going around the top loop infinitely many times, which implies that infinitely many $\mathcal{M}_1$ steps occur, each starting in a state with $Q_0(\text{``b''}, \text{``a''})$ true. Since $Q_0(\text{``b''}, \text{``a''})$ implies $x \in Nat$, an $\mathcal{M}_1$ step starting with $Q_0(\text{``b''}, \text{``a''})$ true changes $x$, so it is an $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ step. Hence, infinitely many $\langle\mathcal{M}_1\rangle_{\langle x, y\rangle}$ steps occur. Similarly, taking infinitely many $\langle\mathcal{N}_2\rangle_w$ steps implies that infinitely many $\langle\mathcal{M}_2\rangle_{\langle x, y\rangle}$ steps occur. This completes the proof of condition 3.

Using the predicate-action diagram does not simplify the proof. If we were to make the argument given above rigorous, we would go through precisely the same steps as in the proof described in [3]. However, the diagram does allow us to visualize the proof, which can help us to understand it.
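Once the node predicates are fixed, every fact the argument above relies on is a step formula, so each can be checked by enumeration over a sample of states. The following Python is an added example, not code from the paper: it encodes $\Psi$ from Figure 11 and the node predicates $Q_i(p, q)$ of Figure 12, takes $Inv$ to be the disjunction of the five node predicates named in the proof ($Q_1(\text{``a''},\text{``a''})$, $Q_0(\text{``b''},\text{``a''})$, $Q_0(\text{``g''},\text{``a''})$, $Q_0(\text{``a''},\text{``b''})$, $Q_0(\text{``a''},\text{``g''})$), and checks that $Inv$ is inductive, that $Inv \wedge \mathcal{N}$ implies $[\mathcal{M}]_{\langle x, y\rangle}$ (the step form of condition 2), that every node enables $\langle\mathcal{N}_1\rangle_w$ or $\langle\mathcal{N}_2\rangle_w$, and that $\langle\mathcal{N}_1\rangle_w$ is enabled only in the three nodes of the top loop. Because $x$ and $y$ range over all naturals in $\Psi$, the sample domain ($x, y, sem \in 0..2$) is an assumption of the example rather than a proof; the state representation and function names are the example's own.

```python
"""The step-level facts behind the proof of Section 4.2, checked by
enumeration over a finite sample of states.

Added example, not from the paper. It encodes Psi (Figure 11), the node
predicates Q_i(p, q) of Figure 12, and Inv, the disjunction of the five node
predicates. Assumption: x, y and sem range over 0..2 and pc over {a,b,g}^2;
that covers every pc/sem case of the definitions but is not a proof for
unbounded x and y.
"""
from itertools import product

A, B, G = "a", "b", "g"


def Init_Psi(s):
    return s["pc"] == (A, A) and s["x"] == 0 and s["y"] == 0 and s["sem"] == 1


def upd(pc, i, val):
    """[pc EXCEPT ![i] = val], with i 1-based."""
    return pc[:i - 1] + (val,) + pc[i:]


def alpha(i):  # P(sem) at control point "a"
    return lambda s, t: (s["pc"][i - 1] == A and 0 < s["sem"]
                         and t["pc"] == upd(s["pc"], i, B)
                         and t["sem"] == s["sem"] - 1
                         and (t["x"], t["y"]) == (s["x"], s["y"]))


def beta(i):  # the increment: process 1 bumps x, process 2 bumps y
    me, other = ("x", "y") if i == 1 else ("y", "x")
    return lambda s, t: (s["pc"][i - 1] == B and t["pc"] == upd(s["pc"], i, G)
                         and t[me] == s[me] + 1 and t[other] == s[other]
                         and t["sem"] == s["sem"])


def gamma(i):  # V(sem) at control point "g"
    return lambda s, t: (s["pc"][i - 1] == G and t["pc"] == upd(s["pc"], i, A)
                         and t["sem"] == s["sem"] + 1
                         and (t["x"], t["y"]) == (s["x"], s["y"]))


def N_i(i):
    return lambda s, t: alpha(i)(s, t) or beta(i)(s, t) or gamma(i)(s, t)


def N(s, t):
    return N_i(1)(s, t) or N_i(2)(s, t)


def boxed_M_xy(s, t):
    """[M1 \\/ M2]_<x,y>: increment x, or increment y, or leave <x,y> alone."""
    x, y = s["x"], s["y"]
    return (t["x"], t["y"]) in ((x + 1, y), (x, y + 1), (x, y))


def w(s):
    return (s["x"], s["y"], s["sem"], s["pc"])


def Q(i, p, q):
    """Q_i(p, q): PC(p, q) /\\ sem = i /\\ x in Nat /\\ y in Nat."""
    return lambda s: (s["pc"] == (p, q) and s["sem"] == i
                      and s["x"] >= 0 and s["y"] >= 0)


NODES = {"Q1aa": Q(1, A, A), "Q0ba": Q(0, B, A), "Q0ga": Q(0, G, A),
         "Q0ab": Q(0, A, B), "Q0ag": Q(0, A, G)}


def Inv(s):
    return any(P(s) for P in NODES.values())


def sample_states(nat_max=2):
    return [{"x": x, "y": y, "sem": m, "pc": pc}
            for x, y, m in product(range(nat_max + 1), repeat=3)
            for pc in product((A, B, G), repeat=2)]


def steps(states):
    return ((s, t) for s, t in product(states, repeat=2) if N(s, t))


def inv_is_inductive(states):
    """Init_Psi => Inv and Inv /\\ N => Inv', so Psi implies []Inv."""
    return (all(Inv(s) for s in states if Init_Psi(s))
            and all(Inv(t) for s, t in steps(states) if Inv(s)))


def condition2(states):
    """Inv /\\ N => [M]_<x,y>, the step form of condition 2."""
    return all(boxed_M_xy(s, t) for s, t in steps(states) if Inv(s))


def enabled(act, s, states):
    return any(act(s, t) for t in states)


def angled_N(i):
    return lambda s, t: N_i(i)(s, t) and w(t) != w(s)


def nodes_enabling(i, states):
    """Names of the Figure 12 nodes in which <N_i>_w can be enabled."""
    return sorted({name for name, P in NODES.items()
                   for s in states if P(s) and enabled(angled_N(i), s, states)})


def every_node_can_move(states, nat_max=2):
    """Each node predicate implies <N1>_w or <N2>_w is enabled; restricted to
    x, y < nat_max so that the incremented successor lies in the sample."""
    return all(enabled(angled_N(1), s, states) or enabled(angled_N(2), s, states)
               for s in states if Inv(s) and s["x"] < nat_max and s["y"] < nat_max)
```

The inductive check is what justifies calling the disjunction of the node predicates an invariant of $\Psi$, and `nodes_enabling(1, ...)` returning exactly the three top-loop nodes is the fact the strong-fairness argument turns on.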

5 Conclusion

We have described three uses of diagrams that we believe are new:

• To describe particular aspects of a complex specification with a simple diagram. An $n$-input C-element cannot be specified with a simple picture. However, we explained the specification with diagrams describing the synchronization between the output and each individual input.

• To provide complementary views of the same system. Diagrams (b) and (c) of Figure 10 look quite different, but they are diagrams for the same specification.

• To illustrate proofs. The disjunction of the predicates labeling the nodes in Figure 12 equals the invariant $I$ of the proof in Section 7.2 of [3]. The diagram provides a graphical representation of the invariance proof.

TLA differs from traditional specification methods in two important 
ways. First, all TLA specifications are interpreted over the same set of 
states. Instead of assigning values just to the variables that appear in the 
specification, a state assigns values to all of the infinite number of variables 
that can appear in any specification. Second, TLA specifications are in- 
variant under stuttering. A formula can neither require nor rule out finite 
sequences of steps that do not change any variables mentioned in the for- 
mula. (The state-function subscripts in TLA formulas are there to guarantee 
invariance under stuttering.) 

These two differences lead to two major differences between traditional 
state-transition diagrams and predicate-action diagrams. In traditional di- 
agrams, each node represents a single state. Because states in TLA assign 
values to an infinite number of variables, it is impossible to describe a single 
state with a formula. Any formula can specify the values of only a finite 
number of variables. To draw diagrams of TLA formulas, we let each node 
represent a predicate, which describes a set of states. In traditional dia- 
grams, every possible state change is indicated by an edge. Because TLA 
formulas are invariant under stuttering, we draw diagrams of particular state 
functions — usually tuples of variables. 

TLA differs from most specification methods because it is a logic. It uses simple logical operations like implication and conjunction instead of more complicated automata-based notions of simulation and composition [1]. Everything we have done with predicate-action diagrams can be done with state-transition diagrams in any purely state-based formalism. However, conventional formalisms must use some notion of homomorphism between diagrams to describe what is expressed in TLA as logical implication.

Most formalisms employing state-transition diagrams are not purely state-based, but use both states and events. Nodes represent states, and edges describe input and output events. The meaning of a diagram is the sequence of events it allows; the states are effectively hidden. In TLA, there are only states, not events. Systems are described in terms of changes to interface variables rather than in terms of interface events. Variables describing the internal state are hidden with the existential quantifier $\exists$ described in [3]. Changes to any variable, whether internal or interface, can be indicated by node labels or edge labels. Hence, a purely state-based approach like TLA allows more flexibility in how diagrams are drawn than a method based on states and events.